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WHAT IS CLAIMED IS: 

1 1. A method of operating a communications network 

2 including a firewall comprising the steps of: 

3 monitoring delays associated with the closing of ports 

4 corresponding to communications sessions following the 

5 termination of said communications sessions as indicated by 

6 session control signals; and 

7 generating an alert signal when a monitored closing 

8 delay exceeds a preselected threshold. 

1 2. The method according to claim 1, further comprising 

2 the steps of: 

3 communicating said alert signal to a security 

4 management system; and 

5 operating said security management system to initiate 

6 at least one security operation in response to said alert 

7 signal. 

1 3. The method of claim 2, wherein said step of initiating 

2 at least one security operation includes: 

3 adjusting network routing to reduce the load on the 

4 firewall system which triggered said alarm signal. 

1 4. The method of claim 2, wherein said step of initiating 

2 at least one security operation includes: 

3 controlling the firewall at which said closing delay 

4 exceeding said threshold was detected to drop traffic until 

5 the detected closing delays at said firewall no longer 

6 exceed said threshold. 

1 5. The method of claim 2, wherein said step of initiating 
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2 at least one security operation includes: 

3 notifying a system administrator of said alarm 

4 condition. 



16. The method of claim 2, wherein monitoring delays 

2 associated with the closing of ports corresponding to 

3 communications sessions includes: 

4 transmitting test signals through a port corresponding 

5 to an established communications session; 

6 monitoring to detect said test signals which pass 

7 through said port; 

8 transmitting a signal to terminate said established 

9 communications session; and 

10 determining the time between transmitting said signal 

11 to terminate said established communications session and 

12 when the monitored test signals can no longer be detected 

13 passing through said port. 

17. The method of claim 6, wherein said test signals are 

2 IP packets and where said signal to terminate said 

3 established communications session is one of a SIP and an 

4 H.323 compliant signals. 

18. The method of claim 7, further comprising: 

2 monitoring delays associated with the opening of ports 

3 corresponding to communications sessions following the 

4 transmission of session initiation signals used to 

5 establish said communications session; and 

6 generating an opening delay alert signal when a 

7 monitored opening delay exceeds a preselected opening delay 

8 threshold. 
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9. A method of operating a communications network 
including a firewall comprising the steps of: 

monitoring delays associated with the opening of ports 
corresponding to communications sessions being initiated 
through the use of session control signals; and 

generating a alert signal when a monitored opening 
delay exceeds a preselected threshold. 

10. The method according to claim 9, further comprising 

the steps of : 

communicating said alert signal to a security 
management system; and 

operating said security management system to initiate 
at least one security operation in response to said alert 
signal . 

11. The method of claim 10, wherein said step of 
initiating at least one security operation includes: 

adjusting network routing to reduce the load on the 
firewall system which triggered said alarm signal. 

12. The method of claim 10, wherein said step of 
initiating at least one security operation includes: 

controlling the firewall at which said opening delay 
exceeding said threshold was detected to drop traffic until 
the detected opening delays at said firewall no longer 
exceed said threshold. 

13. The method of claim 10, wherein said step of 
initiating at least one security operation includes: 

notifying a system administrator of said alarm 
condition. 
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1 14. A communications system comprising; 

2 a firewall system responsive to session signals to 

3 open and close ports in response to the establishment and 

4 termination of communications sessions, respectively; 

5 means for monitoring said firewall to detect a port 

6 closing delay following a signal to terminate a 

7 communications session; and 

8 an alarm generation device for generating an alarm 

9 when a port closing delay is determined to exceed a 
10 preselected threshold. 

1 15. The communications system of claim 14, further 

2 comprising: 

3 a security management system for receiving alarms 

4 generated by said alarm generation device and for 

5 performing at least one security operation in response to 

6 said alert signal. 

1 16. The communications system of claim 15, wherein said at 

2 least one security operation is a routing change operation, 

3 said security management system including means for 

4 transmitting routing change information to at least one 

5 network router to redirect at least some communications 

6 traffic away from said firewall to thereby reduce the 

7 traffic load on said firewall. 

1 17. The communications system of claim 15, wherein said at 

2 least one security operation is a firewall control 

3 operation, said security management system including means 

4 for signaling said firewall to drop traffic to reduce the 

5 load on said firewall. 
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1 18. The communications system of claim 15, wherein said at 

2 least one security operation includes notifying a system 

3 administrator of said detected port closing delay exceeding 

4 said preselected threshold, said security management system 

5 including a graphical display for showing a graphical 

6 representation of the detected port closing delay 

7 information. 

1 19. The communications system of claim 15, wherein said 

2 means for monitoring said firewall to detect a port closing 

3 delay following a signal to terminate a communications 

4 session includes: 

5 a probe signal generator for generating test signals 

6 directed at a port associated with the communications 

7 session being terminated; and 

8 a signal analyzer for determining when said generated 

9 test signals cease passing through said port associated 

10 with the communication session following transmission of a 

11 signal to terminate said communications session. 

1 20. The communications system of claim 19, wherein said 

2 probe signal generator includes means for generating 

3 session signals used to initiate and terminate 

4 communications sessions conducted through said firewall. 

1 21. The communications system of claim 20, wherein said 

2 session signals are one of SIP signals and H.323 signals. 

1 22. The communications system of claim 20, wherein at 

2 least some of said test signals are IP packets. 



1 23. The communications system of claim 15, wherein said 
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2 security management system includes: 

3 means for receiving alarms from a plurality of 

4 different alarm generation devices located at different 

5 locations in said communications system; and 

6 means for analyzing alarms received from different 

7 alarm generation devices, over a period of time, to 

8 identify the location of one or more traffic sources 

9 causing alarms during said period of time. 

1 24. The communications system of claim 15, wherein said 

2 security management system includes: 

3 means for receiving alarms from a plurality of 

4 different alarm generation devices located at different 

5 locations in said communications system; and 

6 means for analyzing alarms received from different 

7 alarm generation devices, over a period of time, to predic 

8 the occurrence of future security alarms. 

1 25. A communications system comprising; 

2 a firewall system responsive to session signals to 

3 open and close ports in response to the establishment and 

4 termination of communications sessions, respectively; 

5 means for monitoring said firewall to detect a port 

6 opening delay following a signal to establish a 

7 communications session; and 

8 an alarm generation device for generating an alarm 

9 when a port opening delay is determined to exceed a 

10 preselected threshold. 

1 26. The communications system of claim 14, further 

2 comprising: 

3 a security management system for receiving alarms 
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4 generated by said alarm generation device and for 

5 performing at least one security operation in response 

6 said alert signal. 



